“Hackers are welcome!” – Google

As the title suggests, Google has an interesting way of getting hackers to divert their attention from harmful hacking to “beneficial” hacking.

The “Google Play Security Reward Program” was launched to identify and fix vulnerabilities in apps listed on Google Play. Google teamed up with a vulnerability coordination and bug bounty platform called HackerOne so that it can use HackerOne’s platform to locate and fix vulnerabilities. The way this program works is that developers or hackers who wish to take part in the program will be given access to the platform and will be required to identify, respond to and fix bugs in a timely manner. The idea is to resolve the vulnerability as fast as possible, taking a maximum of 90 days to fix the issue. In return, if the resolution meets Google’s criteria, the developer/hacker will receive $1000 for every resolved vulnerability. Google has established a stringent policy under which these developers/hackers will have to follow HackerOne’s disclosure guidelines and provide detailed reports of the vulnerabilities. Currently, the apps participating in the program are Alibaba, Dropbox, Duolingo, Headspace, Line, Mail.ru, Snapchat & Tinder, but Google has said that the list is only going to grow. Google’s new approach to tackling IT security issues has definitely turned heads, but is this something that will be followed by other companies? Only time can tell.

8 Responses to “Hackers are welcome!” – Google

I think that this is a creative initiative to take. For Google, this can only help them because they are opening up a platform to the public to see if any random person is able to hack into the platform they created. This will show them if there are flaws in the platform while giving the people doing it a great incentive to involve themselves in the competition.

As a Google Play user, I feel much safer after Google launched this creative reward program because when every person can check its vulnerabilities, flaws will be fixed faster and fewer safety flaws will occur. From companies’ perspective, by inviting “hackers” outside from companies, employees can learn from them and improve their expertise at a relatively low cost.

From consumers’ perspective, I think every company should have this kind of program so they can protect consumers and educate employees simultaneously if they have enough funds. However, companies may expose themselves to the risk of having under protective but unrelated to their core business’ websites or applications to their users and lose reputation when they don’t have Google-like professional programmers.

This bug bounty platform is definitely a very creative way to solve today’s cybersecurity issue.
As more and more companies and organizations rely on their information technology systems for their day-to-day operations, the security of the systems becomes more vulnerable and critical. Because of the nature of cybersecurity, almost all system flaws and bugs are different, which makes the attacker become the best defender at the same time. While the ordinary attackers hack the system for money or simply the sense of achievement, the companies suffer a significant loss from their actions.
Now with this HackerOne platform, the companies and the hackers can achieve win-win solutions. The company can pay a small bonus to the hacker who fixes vulnerabilities to prevent potential cyber attacks. Moreover, Google or the government have the ability to lock on to the cyber attack suspect more easily because now they can have the profile of those hackers. Overall, this platform may become the disruptive innovation to current cybersecurity consulting firms.

I wonder what impacts Google has seen so far! One of the first things I thought of when reading your post was about the cost/benefit analysis of this program. I’m curious about how Google arrived at the $1000 number, and how often they actually make payouts. How does this nontraditional investment compare to how much money other companies invest in cybersecurity? And what part of their budget did Google take that money from? I also wonder if this will establish some sort of “hacking consultant” trend where these hackers offer their services to other companies as well – seems like a lot of room for interesting things to happen!

It’s such a good and creative idea to build a more stable platform/service for customers. The program is a way that Google recognizes the value of external talents’ contribution to keep users safe. Gathering contributions from different people is like a group brainstorming. Besides fixing bugs, bounty rewards are also a motivation for the researcher to participate.

Ethical hacking will be such an important part of cybersecurity in the future. As understood by Google, this is true in the private sector. With its deep pockets, Google certainly has the cash to pay hackers who find security breaches in their systems and those of the apps on Google Play. Plus, Google and other companies would rather have hackers hacking for them than against them. However, the private sector isn’t the only one in need of ethical hacking against their systems and practices. With all of the trouble caused by the Russian government this past election cycle, the public sector will also need people like ethical hackers to ensure that their systems cannot be compromised.

I believe that any innovative company would or already has utilized hackers to help eliminate vulnerabilities. As Matt stated above I would not be surprised if the public sector begins to utilize hackers to prevent any manipulations of our elections as well as any other systems vulnerable to hacking. Google is empowering people with unique skills and paying them for their work resulting in Google being more protected from security breaches.

The initiative that Google has taken to promote ethical hacking is really impressive because of how it welcomes hackers to hack their platforms. This can only benefit Google because it will solve issues that are already happening and future issues to come. However, the bounty that Google offers could be subjective because of the intentions of the hacker. Sure, there are ethical hackers out there, but in the case where the hacker finds something really valuable, it can raise a question of ethics. Since hackers are free to hack the platform, they can use their exploits to harm the company or turn it in for cash. I feel like the reward based on the bug that is discovered should vary. Google has the money to offer more incentives, and because of the flat $1000 for discoveries, it might not be enough for some hackers.